Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add two query results in xml dashboard?

harishalipaka
Motivator
‎03-15-2019 12:46 AM

Hi All,

I am giving a dummy dashboard based on this i will explain what i want..

<form>
  <label>test_hari</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="field1">
      <label>field1</label>
    </input>
    <input type="dropdown" token="field2">
      <label>field2</label>
    </input>
    <input type="time" token="time1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>vot</title>
        <search id="votquery">
          <query>index="_internal" |stats count as vot by action, host</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>LT</title>
        <search id="ltquery">
          <query>index="_internal" |stats count as LT by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

O had two tables VOT , LT

And i want another table with Total=VOT+LT

Note:- I don't want to use join or append those two queries.like query1 |append [search query2]
I need to pass two tokens from dropdown So i can't use init on the page load,Just i want to store those query results .
Once that query1 executed just i reuse those results only i dont want to run again and again..

please help me for this ,thanks in Advance.

Thanks
Harish
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-15-2019 02:35 AM

@harishalipaka

loadjob might help you to combine results from multiple panels and populate 3rd panel.

Ref: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/loadjob

Can you please check below example?

<dashboard>
  <label>Sample Dashboard</label>
  <row>
    <panel>
      <title>Panel 1</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval no=1 | accum no</query>
          <finalized>
            <condition>
              <set token="JobSid1">$job.sid$</set>
            </condition>
          </finalized>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Panel 2</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval no=5 | accum no</query>
          <finalized>
            <condition>
              <set token="JobSid2">$job.sid$</set>
            </condition>
          </finalized>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| loadjob $JobSid1$ | append [ | loadjob $JobSid2$ ]</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

Thanks

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-15-2019 02:35 AM

@harishalipaka

loadjob might help you to combine results from multiple panels and populate 3rd panel.

Ref: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/loadjob

Can you please check below example?

<dashboard>
  <label>Sample Dashboard</label>
  <row>
    <panel>
      <title>Panel 1</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval no=1 | accum no</query>
          <finalized>
            <condition>
              <set token="JobSid1">$job.sid$</set>
            </condition>
          </finalized>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Panel 2</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval no=5 | accum no</query>
          <finalized>
            <condition>
              <set token="JobSid2">$job.sid$</set>
            </condition>
          </finalized>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| loadjob $JobSid1$ | append [ | loadjob $JobSid2$ ]</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

Thanks

Reply
Solved! Jump to solution

harishalipaka
Motivator
‎03-15-2019 03:29 AM

hi @kamlesh ji

that is fine,but am getting this error Error in 'SearchOperator:loadjob': Artifacts are unavailable because the job (job_id='byd_line0_admin_YnlkX2xpbmUwX2FkbWlu_YnlkX2xpbmUw__search9_1552645537.487912_8303C2C4-C724-4485-878E-DA1E31862275') is still running.

In my case those search will take more time

Thanks
Harish
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-15-2019 04:11 AM

@harishalipaka

Can you please change <finalized> with <done> and try again?

0 Karma
Reply
Solved! Jump to solution

harishalipaka
Motivator
‎03-15-2019 04:47 AM

yes @kamlesh_vaghela ji,

i am also tried like this .Its working now
And one doubt is it working for all users are only for owner of that dashboard..?

ThanQ

Thanks
Harish
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-15-2019 05:05 AM

@harishalipaka

It's depending on which permissions you gave to dashboard. But I think you have a confusion bcoz here we have used loadjob. I have assigned read permission to all roles and I'm able to access the dashboard with user role.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top